Tuesday, March 25, 2014

New Zero-day Vulnerability Used in Targeted Attacks against Word


A remote code execution vulnerability (CVE-2014-1761) in MS Word is currently being exploited in the wild. "At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010," said Microsoft, which acknowledged that the vulnerability also exists in Microsoft Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011.

Dana Tamir, director of enterprise security at Trusteer, noted that the vulnerability can be exploited when Microsoft Word opens and parses specially crafted Rich Text Format (RTF) data. The exploit causes system memory corruption that enables the attacker to execute arbitrary code. An attacker who has successfully exploited this vulnerability could gain the same user rights as the current user. As a result, that attacker can infect the victim's system with malware if a user simply opens the specially crafted RTF file.

The vulnerability could also be exploited through Microsoft Outlook. This is because Microsoft Word is the default email reader in most Outlook versions. In this case, previewing the message in Microsoft Outlook is enough to successfully exploit the vulnerability and download malware on the user’s machine.

A web-based scenario can also be used if the attacker creates a webpage that contains the malicious RTF file, or if the malicious file is provided as content to websites that accept or host user-provided content or advertisements. Attackers may use this technique for conducting drive-by downloads and watering-hole attacks that infect website visitors.

Microsoft has posted a blog post that discusses possible mitigations and temporary defensive strategies that can be used while the company is working on a security update.